Apple urges Australian government not to weaken encryption with backdoors

Apple has submitted its formal response to a draft bill undergoing debate by the Australian government, with the iPhone maker calling for “increasingly stronger – not weaker – encryption” as a way to protect against the growing number of online threats.

Provided to AppleInsider by Apple, the seven-page submission to the Australian Parliamentary Joint Committee on Intelligence and Security on the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” argues for clarity on the bill’s aims, and encourages the government to avoid going down the route of weakening encryption.

Introduced to the parliamentary calendar in August, the bill proposes updates to the country’s telecommunications-related laws, including a need for private sector firms to “provide greater assistance to agencies.” While the bill demands assistance from companies like Apple, the language used is ambiguous enough to potentially mean the creation of backdoors into encrypted apps and services, something which many tech companies strongly disagree with.

Noting Apple’s role in protecting national security and citizens’ lives, and its teams working to stay one step ahead of criminal attackers, the letter claims the threats that pry for personal data or co-opt hardware for broader assaults “only grow more serious and sophisticated over time.”

“It is precisely because of these threats that we support strong encryption,” Apple asserts. Highlighting the trillion transactions conducted online and protected by encryption every day, the threats to these communications are said to be “very real and increasingly sophisticated.”

Referencing the government’s Notifiable Data Breaches database’s records of 2.5 or more daily data breaches over the last quarter (“And that’s just breaches that were identified and reported”), Apple offers up the NotPetya attack from 2017 as an example of a need for robust security, an attack which effectively shut down Cadbury’s manufacturing systems and impacted other firms.

“In the face of these threats, this is no time to weaken encryption. There is a profound risk of making criminals’ jobs easier, not harder,” writes Apple. “Increasingly stronger – not weaker – encryption is the best way to protect against these threats.”

Apple assists Australian law enforcement now

Apple also challenges the suggestion that weaker encryption is needed to help law enforcement. The company works with the Australian government and other law enforcement agencies globally in the interest of public safety. In Australia alone, it has processed over 26,000 requests from local security forces over the last five years, and recently announced efforts to expand its law enforcement training efforts for obtaining information from the company within its legal guidelines.

There is encouragement for the government to “stand by their stated intention not to weaken encryption or compel providers to build systemic weaknesses into their products,” but due to the “breadth and vagueness of the bill’s authorities” and “ill-defined restrictions,” Apple suggests the intention is not being met by the bill in its current form.

Broad surveillance isn’t good for Apple, or Australian citizens

Apple suggests the bill could force smart home speakers to install persistent eavesdropping capabilities, or require a provider to monitor health data of its customers for signs of drug use, or the creation of a tool to unlock a specific user’s device, even if that tool could be used to unlock every other user’s devices as well.

“All of these capabilities should be as alarming to every Australian as they are to us,” Apple adds, before calling for the laws to be “clear and unambiguous.”

“Encryption is the single best tool we have to protect data and ultimately lives. Software innovations of the future will depend on the foundation of strong device security,” said Apple. “To allow for those protections to be weakened in any way slows our pace of progress and puts everyone at risk.”

The bill isn’t specific enough

The submission then goes on to highlight specific overarching themes that those working on the draft of the bill need to take into account. First, the company complains about how “Overly broad authorities could weaken cybersecurity and encryption.”

“For instance, the government may seek to compel a provider to develop custom software to bypass a particular device’s encryption. The government’s view is that if it only seeks such tool for a particular user’s device, it will create no systemic risk,” argued Apple. “As we have firmly stated, however, the development of such a tool, even if deployed only to one phone, would render everyone’s encryption and security less effective.”

Not the first time that Apple has said this

This echoes previous comments made by Apple CEO Tim Cook, arguing the technique is analogous to leaving a key under a doormat, an action that makes it available to authorities if necessary, but also makes it findable by burglars. “Criminals are using every technology tool at their disposal to hack into people’s accounts,” said Cook. “If they know there’s a key hidden somewhere, they won’t stop until they find it.”

Apple also advises insufficient judicial review can reduce customer trust and security, arguing there is concern that an independent judicial review is not required before the government could issue a technical assistance notice (TAN) or capability notice (TCN). The UK’s Investigatory Powers Act is suggested as a model Australia could follow, as it requires such reviews before a provider can be served a notice.

There is also a concern that the key factual determinations depend only on the government’s own assessment of circumstances and the technical complexities involved. The government is advised it should take into account other views, such as from security experts, academics, and privacy concerns, before making any determinations.

Whistleblowers beware

The bill also introduces problems regarding its secrecy requirements, in that while they are welcomed in principle, they are too broad and could stifle innocent disclosures, or disclosures for the purpose of reporting abuse.

“If an engineer working for a provider tasked with complying with a TCN had a legitimate legal or ethical concern, they could be imprisoned for five years for merely disclosing the fact of a TCN to his or her employer’s human resources office,” wrote Apple. “Similarly, an employee of a provider who legitimately believed a TAN or TCN violated the law, could not disclose that concern for fear of punishment.”

Apple suggests there should be more of a balance between maintaining secrecy and giving customers and providers assurance that the laws are “being executed properly and lawfully.”

Incompatible internationally

Lastly, Apple expresses concern over how the laws would impact companies outside Australia, as while the draft advises it is an allowable defense for a provider to claim a TCN or TAN may contravene a foreign jurisdiction’s law if they are based abroad, it doesn’t go far enough. While the bill does grant immunity for compliance with TANs or TCNs, it only applies to Australia, and does not take into account breaches of laws in other countries while complying with the notice.

“Forcing business with operations outside Australia to comply with TANs or TCNs that violate the laws of other countries in which they operate, will just incentivize criminals to use service providers that never assist Australian authorities or ones that operate underground in jurisdictions unfriendly to Australian interests,” Apple concluded. “Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid.”

Earlier in October, it was revealed Apple was joining Alphabet, Amazon, and Facebook in opposing the proposals, a continuation of a campaign by tech companies to fight backdoors and other legislative changes that weaken security for all users. The firms have previously issued statements to various governments and security agencies around the world to combat the growing calls by lawmakers and heads of law enforcement agencies to make it easier to access hard-to-obtain information that is securely encrypted.

Outside of tech companies, some lawmakers in the U.S. are attempting to put a stop to similar measures being implemented by the government. The “Secure Data Act,” proposed in May, aims to prevent courts and federal agencies from issuing orders to create backdoors or other security-weakening features.